ESA AND ISO 27001

Keeping the European Space Agency in Orbit

With sites in a variety of different countries, the European Space Agency (ESA) is Europe’s gateway to the galaxy. With vast amounts of sensitive information and confidential data, ESA decided to work with NQA to become certified to ISO 27001 to help ensure its most important assets are safe.

ISO 27001 Certification

ISO 27001 certification through NQA means that ESA has achieved its objective of having a robust, clearly defined and continually improving information security management system (ISMS).

The European Space Agency (ESA) is an international organisation with 20 member states. Its mission is to shape the development of the continent’s space capability and ensure that investment continues to deliver benefits. By coordinating the financial and intellectual resources of its members, it undertakes programmes and activities far beyond the scope of any single European country; the utmost discretion regarding its information is therefore required.

Space race

2014 is a milestone year for Europe as it looks back with pride on 50 years of space cooperation. With over 2,000 employees and an annual budget of over €4bn, ESA’s job is to draw up the European space programme and carry it through. Its programmes are designed to find out more about Earth, its immediate space environment, our solar system and the universe, as well as to develop satellite-based technologies and promote European industries.

The latest instalment of ESA’s story is the launch of Sentinel-1A, a mission that will scan land and oceans using advanced radar technology to deliver imagery. Part of Europe’s Copernicus programme, Sentinel-1A was put into orbit by a Soyuz launch vehicle from Europe’s Spaceport in Kourou, French Guiana.

Confidentiality and Integrity

ESA already had a mechanism in place to ensure the security of its data, minimise risk and protect stakeholder information via its information security management system (ISMS). In 2009 it decided to formalise this into its overall Mission Operations Infrastructure (MOI) and in 2011 opted to work towards ISO 27001 Certification.

ISO 27001 is the international standard for ISMS. With over 15,000 certificates issued in 117 countries, it provides a framework that ensures only authorised users have access to information, whilst maintaining its confidentiality and integrity as well as legal compliance. It helps to protect against potential security threats including vandalism, terrorism, fire, misuse, theft and cyber-attack.

After a successful external audit, conducted in April 2013, ESA’s MOI achieved its goal. Alfio Mantineo, head of the Directorate of Human Spaceflight and Operations’ (HSO) Quality & Safety Office at ESA, says,

‘The MOI covers our entire infrastructure including the operational ground facilities at ESA’s Space Operations Centre (ESOC) in Darmstadt, Germany, and our European Space Tracking (ESTRACK) ground stations in Cebreros and Villafranca in Spain, where the audit was conducted by NQA. It also covers the ground data systems for mission and ground station control, navigation, flight dynamics and test facilities, as well as the supporting IT and communication systems.’

Systematic approach

ESA has worked closely with NQA since 1999, when it became certified to ISO 9001, and the two organisations enjoy a highly productive working relationship. Asked why ISO 27001 was considered the most suitable standard for its needs, Mantineo replies,

‘We wanted a more systematic approach to our ISMS activities. NQA made it clear that certification would allow us to demonstrate full compliance with the ESA Security Directives and show to member states, international partners and industry our on-going commitment to information security and data protection.’

ESA’s ISMS is continually modified and improved to remain fit for purpose. This process of continual improvement is based upon the Plan, Do, Check, Act structure pioneered by W Edwards Deming in the 1950s. It is used to ensure that the hazards and risks associated with ESA’s activities are systematically identified, assessed, controlled, monitored and continuously improved.

Stakeholder support

Mantineo’s objective of having a more systematic approach has been realised, and refining the ISMS has simplified the definition of the organisation’s entire activity structure and how it is implemented. He states,

‘It allows us to ensure close coordination and cooperation across our entire operation and has contributed to the effectiveness of our business continuity management system (BCMS) by linking it with ISMS documented procedures. Our internal stakeholders have also embraced it and we have conducted a number of campaigns to make them aware of the importance of what we’re doing in this area.’

Mission accomplished

ESA has a rigorous, dynamic and continually evolving approach to information security management, and Mantineo concludes,

‘Working with the NQA team is a real pleasure and they have been incredibly supportive throughout the whole process. We knew that they would challenge us but that, ultimately, it would help us get to where we wanted to be. We are extremely proud of our ISO 27001 certification and it has already proven to be highly beneficial to us.’